1. Field of the Invention
The present invention relates to an information processing apparatus which carries out processing concerning packet data including encrypted data, a control method therefor, and a storage medium.
2. Description of the Related Art
Conventionally, there has been proposed a technique in which, when a network communication device connected to a communication channel of a network develops a trouble, the cause of the trouble is investigated by sampling packets flowing through the channel. In this technique, a method is generally employed in which a dedicated device for acquiring packets is connected to a line concentrator, such as a HUB or the like, and packets flowing through a LAN (Local Area Network) are sampled using the dedicated device.
Data of packets transmitted and received by the network communication device under investigation are extracted from the sampled packets, and the contents of the packet data are analyzed to locate a point where data which does not meet the specified requirements is received, or a point where a response delay to reception of packets occurs. Then, to determine whether or not the located point is the cause of the trouble, investigation of the cause is performed, e.g. by transmitting the same packet to the network communication device to check whether the trouble is reproduced, or by analyzing the source code which is responsible for communication of the network communication device.
In recent years, network communication devices provided with a function of acquiring packets are coming into wide use. This makes it possible to acquire packets without using dedicated devices for extracting packets. Conventionally, in an environment where a switching HUB is introduced, it is not possible to sample packets properly even by connecting a dedicated device to the switching HUB.
This is because the switching HUB refers to information of a destination address in each network frame, and transfers packets (frames) only to a HUB port thereof to which a node having the address is connected, and hence even if a packet-acquiring device is connected to another HUB port, it is impossible to acquire packets. In a network communication device provided with the function of acquiring packets, it is possible to acquire packets at the node which is performing the packet communication, and hence it becomes possible to acquire packets even under such a switching HUB environment.
Further, in recent years, IPSec (IP Security), which is a technique for encrypting a communication channel of IP (Internet Protocol), the network layer protocol used on the Internet, is becoming popular. IPSec is a name collectively referring to techniques for authentication, encryption, key exchange, etc., and it provides a standard of protocols, a header structure, and so forth. In general, IPSec encrypts packets such that data in layers higher than the IP layer is encrypted.
IPSec has the advantageous feature that protocols in layers higher than the IP layer need not be aware of IPSec. That is, TCP (Transport Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and other such protocols are capable of operating without being aware of whether or not IPSec is operating.
Further, specifications of IPSec are defined for both IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6). In using IPSec, a definition of what type of process should be performed on what type of packets is referred to as a security policy. This security policy is a rule which defines the packets to which IPSec is to be applied, in respect of addresses, higher protocols, and ports, and defines the authentication method and the encryption method applied to them.
A collection of security policies is referred to as a security policy database (SPD). An IPSec execution module can determine what type of IPSec process should be carried out on what type of packets by referring to the SPD. Since packets are encrypted in such an environment in which IPSec operates, the communication channel through which the packets flow becomes secure. Therefore, even if a third party attempts to tap packets on the network, the confidentiality of data is protected thanks to the encryption of packets.
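The following is an added illustration, not code from the patent or from any particular IPSec implementation, of how an SPD lookup of the kind described above can be modelled: an ordered list of selectors (address ranges, higher protocol, destination port range) each carrying an action and, for protected traffic, the authentication and encryption methods. The selector fields, the first-match ordering and the sample addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One SPD entry: packet selectors plus the IPSec process to apply."""
    src: str                   # CIDR of source addresses the rule covers
    dst: str                   # CIDR of destination addresses the rule covers
    proto: Optional[int]       # IP protocol number (6=TCP, 17=UDP), None = any
    dport: Optional[range]     # destination port range, None = any
    action: str                # "PROTECT", "BYPASS" or "DISCARD"
    auth: Optional[str] = None  # authentication method for PROTECT rules
    enc: Optional[str] = None   # encryption method for PROTECT rules

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or dport in self.dport))


# Constructed SPD (assumed contents): evaluated top to bottom, first match wins.
SPD = [
    # plain HTTP to one server is left in the clear
    Policy("192.0.2.0/24", "198.51.100.10/32", 6, range(80, 81), "BYPASS"),
    # everything else to that subnet is protected with these methods
    Policy("192.0.2.0/24", "198.51.100.0/24", None, None, "PROTECT",
           auth="HMAC-SHA256", enc="AES-CBC"),
    # catch-all: packets matching no specific policy are dropped
    Policy("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD"),
]


def lookup(src: str, dst: str, proto: int, dport: Optional[int] = None) -> Optional[Policy]:
    """Return the first SPD entry whose selectors match the packet, or None."""
    for policy in SPD:
        if policy.matches(src, dst, proto, dport):
            return policy
    return None
```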
To analyze such encrypted packets, a generally employed method is to provide the packet acquirer in advance with the information necessary for encryption and decryption of packets, and to decrypt the acquired encrypted packets based on that information.
Examples of the above-mentioned method include a technique proposed in Japanese Laid-Open Patent Publication No. 2006-277518. According to the technique proposed in this publication, KVM-related packets flowing through a network are sampled, and if the packets are encrypted, the packets are decrypted based on information acquired in advance to record data of the decrypted packets. This makes it possible to maintain the communication channel in the secure encrypted state, and capture decrypted data.
However, when packets are captured in an environment where the above-mentioned IPSec is introduced, a problem is encountered in a case where it is desired to capture all data of the network frames. When the network communication device having a function of acquiring packets performs communication by IPSec, packets received by the network communication device are in a state in which the data thereof in layers higher than the IP layer is encrypted by IPSec. The encrypted part of the packets is decrypted by the IPSec module which operates within the IP stack.
On the other hand, in a general packet-capturing method, data of received packets is captured at a network card driver level. By acquiring data of the received packet from the network card driver, it is possible to acquire data of the received packets from the data link layer thereof without leaving out any data. Therefore, as for the packet acquiring function which is required to acquire all data of the received packets, it is necessary to acquire data at the network card driver level.
However, the network card driver is placed at a lower level than the IP stack, and hence the data acquired from the network card driver is in a state encrypted by IPSec. That is, even if received packets are acquired, the data of the received packets in layers higher than the IP layer is encrypted, and hence it is impossible to obtain information useful for analysis of the packets. This problem is not encountered in a case where the data desired to be acquired for analysis belongs to layers higher than the IP layer, such as the KVM-related packets in the technique described in Japanese Laid-Open Patent Publication No. 2006-277518. This is because, if the object to be analyzed is data in layers higher than the IP layer, it is only necessary to acquire the raw data obtained by decrypting the data encrypted by IPSec.
However, in the case of acquisition of packets which is carried out for the purpose of analyzing a trouble in a network communication device, it is required to acquire all network frame data, and hence it is necessary to acquire the data before decryption, at the network card driver level, which brings about the problem that the acquired data is in an encrypted state. Therefore, the conventional technique has a problem in data analysis.
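The following added example, which is not code from the patent, makes the problem described above concrete. It parses two constructed Ethernet/IPv4 frames exactly as a capture at the network card driver level would see them: for a plain TCP frame the transport-layer ports are readable, whereas for an IPSec ESP frame (IP protocol 50) only the ESP header's SPI and sequence number are readable and the remaining bytes, including the transport header, are opaque because decryption happens later in the IP stack. The MAC and IP addresses are constructed, and the IPv4 checksum is left at zero for brevity.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_ESP = 6, 50


def parse_driver_level_frame(frame: bytes) -> dict:
    """Report what a driver-level capture can recover from one IPv4 frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype, "transport_visible": False}
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    proto = ip[9]
    info = {"src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "proto": proto}
    payload = ip[ihl:]
    if proto == IPPROTO_TCP:
        # cleartext: the TCP header follows the IP header directly
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(sport=sport, dport=dport, transport_visible=True)
    elif proto == IPPROTO_ESP:
        # ESP: only SPI and sequence number are in the clear; everything
        # after them (the encrypted TCP/UDP header and data) is opaque here
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(spi=spi, seq=seq, transport_visible=False,
                    encrypted_bytes=len(payload) - 8)
    return info


def ipv4_frame(proto: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet + IPv4 frame carrying `payload`."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 0, 2, 5]), bytes([198, 51, 100, 10]))
    return eth + ip + payload


# Constructed sample frames: a cleartext HTTP request and an ESP-protected packet.
TCP_FRAME = ipv4_frame(IPPROTO_TCP,
                       struct.pack("!HH", 40000, 80) + bytes(16) + b"GET / HTTP/1.1\r\n")
ESP_FRAME = ipv4_frame(IPPROTO_ESP,
                       struct.pack("!II", 0x1234ABCD, 7) + bytes(range(32)))
```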